2 "map access: known scalar += value_ptr from different maps",
4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5 offsetof(struct __sk_buff, len)),
6 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
10 BPF_LD_MAP_FD(BPF_REG_1, 0),
11 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12 BPF_LD_MAP_FD(BPF_REG_1, 0),
13 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
14 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15 BPF_MOV64_IMM(BPF_REG_1, 4),
16 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
17 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
18 BPF_MOV64_IMM(BPF_REG_0, 1),
21 .fixup_map_hash_16b = { 5 },
22 .fixup_map_array_48b = { 8 },
27 "map access: value_ptr -= known scalar from different maps",
29 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
30 offsetof(struct __sk_buff, len)),
31 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
32 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
33 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
34 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
35 BPF_LD_MAP_FD(BPF_REG_1, 0),
36 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
37 BPF_LD_MAP_FD(BPF_REG_1, 0),
38 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
39 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
40 BPF_MOV64_IMM(BPF_REG_1, 4),
41 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
42 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
43 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
44 BPF_MOV64_IMM(BPF_REG_0, 1),
47 .fixup_map_hash_16b = { 5 },
48 .fixup_map_array_48b = { 8 },
50 .result_unpriv = REJECT,
51 .errstr_unpriv = "R0 min value is outside of the allowed memory range",
55 "map access: known scalar += value_ptr from different maps, but same value properties",
57 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
58 offsetof(struct __sk_buff, len)),
59 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
60 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
61 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
62 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
63 BPF_LD_MAP_FD(BPF_REG_1, 0),
64 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
65 BPF_LD_MAP_FD(BPF_REG_1, 0),
66 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
67 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
68 BPF_MOV64_IMM(BPF_REG_1, 4),
69 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
70 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
71 BPF_MOV64_IMM(BPF_REG_0, 1),
74 .fixup_map_hash_48b = { 5 },
75 .fixup_map_array_48b = { 8 },
80 "map access: mixing value pointer and scalar, 1",
82 // load map value pointer into r0 and r2
83 BPF_MOV64_IMM(BPF_REG_0, 1),
84 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
85 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
86 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
87 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
88 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
89 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
91 // load some number from the map into r1
92 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
93 // depending on r1, branch:
94 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
96 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
97 BPF_MOV64_IMM(BPF_REG_3, 0),
100 BPF_MOV64_IMM(BPF_REG_2, 0),
101 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
102 // common instruction
103 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
104 // depending on r1, branch:
105 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
109 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
110 // verifier follows fall-through
111 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
112 BPF_MOV64_IMM(BPF_REG_0, 0),
114 // fake-dead code; targeted from branch A to
115 // prevent dead code sanitization
116 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
117 BPF_MOV64_IMM(BPF_REG_0, 0),
120 .fixup_map_array_48b = { 1 },
122 .result_unpriv = REJECT,
123 .errstr_unpriv = "R2 tried to add from different maps, paths or scalars",
127 "map access: mixing value pointer and scalar, 2",
129 // load map value pointer into r0 and r2
130 BPF_MOV64_IMM(BPF_REG_0, 1),
131 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
132 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
134 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
135 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
136 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
138 // load some number from the map into r1
139 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
140 // depending on r1, branch:
141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
143 BPF_MOV64_IMM(BPF_REG_2, 0),
144 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
147 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
148 BPF_MOV64_IMM(BPF_REG_3, 0),
149 // common instruction
150 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
151 // depending on r1, branch:
152 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
156 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
157 // verifier follows fall-through
158 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
159 BPF_MOV64_IMM(BPF_REG_0, 0),
161 // fake-dead code; targeted from branch A to
162 // prevent dead code sanitization
163 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
164 BPF_MOV64_IMM(BPF_REG_0, 0),
167 .fixup_map_array_48b = { 1 },
169 .result_unpriv = REJECT,
170 .errstr_unpriv = "R2 tried to add from different maps, paths or scalars",
174 "sanitation: alu with different scalars 1",
176 BPF_MOV64_IMM(BPF_REG_0, 1),
177 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
178 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
180 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
181 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
182 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
184 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
186 BPF_MOV64_IMM(BPF_REG_2, 0),
187 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
189 BPF_MOV64_IMM(BPF_REG_2, 42),
190 BPF_MOV64_IMM(BPF_REG_3, 0x100001),
191 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
192 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
195 .fixup_map_array_48b = { 1 },
200 "sanitation: alu with different scalars 2",
202 BPF_MOV64_IMM(BPF_REG_0, 1),
203 BPF_LD_MAP_FD(BPF_REG_1, 0),
204 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
207 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
208 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
209 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
210 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
211 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
213 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
214 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
215 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
216 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
217 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
220 .fixup_map_array_48b = { 1 },
222 .retval = -EINVAL * 2,
225 "sanitation: alu with different scalars 3",
227 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
228 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
229 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
230 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
231 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
232 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
233 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
234 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
235 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
239 .retval = -EINVAL * 2,
242 "map access: value_ptr += known scalar, upper oob arith, test 1",
244 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
245 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
247 BPF_LD_MAP_FD(BPF_REG_1, 0),
248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
250 BPF_MOV64_IMM(BPF_REG_1, 48),
251 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
252 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
253 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
254 BPF_MOV64_IMM(BPF_REG_0, 1),
257 .fixup_map_array_48b = { 3 },
259 .result_unpriv = REJECT,
260 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
264 "map access: value_ptr += known scalar, upper oob arith, test 2",
266 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
267 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
269 BPF_LD_MAP_FD(BPF_REG_1, 0),
270 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
272 BPF_MOV64_IMM(BPF_REG_1, 49),
273 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
274 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
275 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
276 BPF_MOV64_IMM(BPF_REG_0, 1),
279 .fixup_map_array_48b = { 3 },
281 .result_unpriv = REJECT,
282 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
286 "map access: value_ptr += known scalar, upper oob arith, test 3",
288 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
289 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
291 BPF_LD_MAP_FD(BPF_REG_1, 0),
292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
294 BPF_MOV64_IMM(BPF_REG_1, 47),
295 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
296 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
297 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
298 BPF_MOV64_IMM(BPF_REG_0, 1),
301 .fixup_map_array_48b = { 3 },
303 .result_unpriv = REJECT,
304 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
308 "map access: value_ptr -= known scalar, lower oob arith, test 1",
310 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
313 BPF_LD_MAP_FD(BPF_REG_1, 0),
314 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
316 BPF_MOV64_IMM(BPF_REG_1, 47),
317 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
318 BPF_MOV64_IMM(BPF_REG_1, 48),
319 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
320 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
321 BPF_MOV64_IMM(BPF_REG_0, 1),
324 .fixup_map_array_48b = { 3 },
326 .errstr = "R0 min value is outside of the allowed memory range",
327 .result_unpriv = REJECT,
328 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
331 "map access: value_ptr -= known scalar, lower oob arith, test 2",
333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
336 BPF_LD_MAP_FD(BPF_REG_1, 0),
337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
339 BPF_MOV64_IMM(BPF_REG_1, 47),
340 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
341 BPF_MOV64_IMM(BPF_REG_1, 48),
342 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
343 BPF_MOV64_IMM(BPF_REG_1, 1),
344 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
346 BPF_MOV64_IMM(BPF_REG_0, 1),
349 .fixup_map_array_48b = { 3 },
351 .result_unpriv = REJECT,
352 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
356 "map access: value_ptr -= known scalar, lower oob arith, test 3",
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
361 BPF_LD_MAP_FD(BPF_REG_1, 0),
362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
364 BPF_MOV64_IMM(BPF_REG_1, 47),
365 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
366 BPF_MOV64_IMM(BPF_REG_1, 47),
367 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
369 BPF_MOV64_IMM(BPF_REG_0, 1),
372 .fixup_map_array_48b = { 3 },
374 .result_unpriv = REJECT,
375 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
379 "map access: known scalar += value_ptr",
381 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
384 BPF_LD_MAP_FD(BPF_REG_1, 0),
385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
386 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
387 BPF_MOV64_IMM(BPF_REG_1, 4),
388 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
389 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
390 BPF_MOV64_IMM(BPF_REG_0, 1),
393 .fixup_map_array_48b = { 3 },
398 "map access: value_ptr += known scalar, 1",
400 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
401 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
403 BPF_LD_MAP_FD(BPF_REG_1, 0),
404 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
406 BPF_MOV64_IMM(BPF_REG_1, 4),
407 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
408 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
409 BPF_MOV64_IMM(BPF_REG_0, 1),
412 .fixup_map_array_48b = { 3 },
417 "map access: value_ptr += known scalar, 2",
419 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
422 BPF_LD_MAP_FD(BPF_REG_1, 0),
423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
424 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
425 BPF_MOV64_IMM(BPF_REG_1, 49),
426 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
427 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
428 BPF_MOV64_IMM(BPF_REG_0, 1),
431 .fixup_map_array_48b = { 3 },
433 .errstr = "invalid access to map value",
436 "map access: value_ptr += known scalar, 3",
438 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
439 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
441 BPF_LD_MAP_FD(BPF_REG_1, 0),
442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
443 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
444 BPF_MOV64_IMM(BPF_REG_1, -1),
445 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
446 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
447 BPF_MOV64_IMM(BPF_REG_0, 1),
450 .fixup_map_array_48b = { 3 },
452 .errstr = "invalid access to map value",
455 "map access: value_ptr += known scalar, 4",
457 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
458 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
460 BPF_LD_MAP_FD(BPF_REG_1, 0),
461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
462 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
463 BPF_MOV64_IMM(BPF_REG_1, 5),
464 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
465 BPF_MOV64_IMM(BPF_REG_1, -2),
466 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
467 BPF_MOV64_IMM(BPF_REG_1, -1),
468 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
469 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
470 BPF_MOV64_IMM(BPF_REG_0, 1),
473 .fixup_map_array_48b = { 3 },
475 .result_unpriv = REJECT,
476 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
480 "map access: value_ptr += known scalar, 5",
482 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
483 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
485 BPF_LD_MAP_FD(BPF_REG_1, 0),
486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
487 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
488 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
489 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
490 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
493 .fixup_map_array_48b = { 3 },
495 .retval = 0xabcdef12,
498 "map access: value_ptr += known scalar, 6",
500 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
503 BPF_LD_MAP_FD(BPF_REG_1, 0),
504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
505 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
506 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
507 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
508 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
509 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
510 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
513 .fixup_map_array_48b = { 3 },
515 .retval = 0xabcdef12,
518 "map access: value_ptr += N, value_ptr -= N known scalar",
520 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
521 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
523 BPF_LD_MAP_FD(BPF_REG_1, 0),
524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
526 BPF_MOV32_IMM(BPF_REG_1, 0x12345678),
527 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
529 BPF_MOV64_IMM(BPF_REG_1, 2),
530 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
534 .fixup_map_array_48b = { 3 },
536 .retval = 0x12345678,
539 "map access: unknown scalar += value_ptr, 1",
541 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
544 BPF_LD_MAP_FD(BPF_REG_1, 0),
545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
547 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
548 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
549 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
550 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
551 BPF_MOV64_IMM(BPF_REG_0, 1),
554 .fixup_map_array_48b = { 3 },
559 "map access: unknown scalar += value_ptr, 2",
561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
564 BPF_LD_MAP_FD(BPF_REG_1, 0),
565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
567 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
568 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
569 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
570 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
573 .fixup_map_array_48b = { 3 },
575 .retval = 0xabcdef12,
576 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
579 "map access: unknown scalar += value_ptr, 3",
581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
584 BPF_LD_MAP_FD(BPF_REG_1, 0),
585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
587 BPF_MOV64_IMM(BPF_REG_1, -1),
588 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
589 BPF_MOV64_IMM(BPF_REG_1, 1),
590 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
591 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
592 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
593 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
597 .fixup_map_array_48b = { 3 },
599 .result_unpriv = REJECT,
600 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
601 .retval = 0xabcdef12,
602 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
605 "map access: unknown scalar += value_ptr, 4",
607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
610 BPF_LD_MAP_FD(BPF_REG_1, 0),
611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
613 BPF_MOV64_IMM(BPF_REG_1, 19),
614 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
615 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
616 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
617 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
618 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
621 .fixup_map_array_48b = { 3 },
623 .errstr = "R1 max value is outside of the allowed memory range",
624 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
625 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
628 "map access: value_ptr += unknown scalar, 1",
630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
631 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
633 BPF_LD_MAP_FD(BPF_REG_1, 0),
634 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
635 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
636 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
637 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
638 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
639 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
640 BPF_MOV64_IMM(BPF_REG_0, 1),
643 .fixup_map_array_48b = { 3 },
648 "map access: value_ptr += unknown scalar, 2",
650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
653 BPF_LD_MAP_FD(BPF_REG_1, 0),
654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
656 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
657 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
658 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
659 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
662 .fixup_map_array_48b = { 3 },
664 .retval = 0xabcdef12,
665 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
668 "map access: value_ptr += unknown scalar, 3",
670 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
671 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
673 BPF_LD_MAP_FD(BPF_REG_1, 0),
674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
676 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
677 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
678 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
679 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
680 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
681 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
682 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
683 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
684 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
685 BPF_MOV64_IMM(BPF_REG_0, 1),
687 BPF_MOV64_IMM(BPF_REG_0, 2),
688 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
690 .fixup_map_array_48b = { 3 },
695 "map access: value_ptr += value_ptr",
697 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
700 BPF_LD_MAP_FD(BPF_REG_1, 0),
701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
703 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
704 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
705 BPF_MOV64_IMM(BPF_REG_0, 1),
708 .fixup_map_array_48b = { 3 },
710 .errstr = "R0 pointer += pointer prohibited",
713 "map access: known scalar -= value_ptr",
715 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
716 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
718 BPF_LD_MAP_FD(BPF_REG_1, 0),
719 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
721 BPF_MOV64_IMM(BPF_REG_1, 4),
722 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
723 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
724 BPF_MOV64_IMM(BPF_REG_0, 1),
727 .fixup_map_array_48b = { 3 },
729 .errstr = "R1 tried to subtract pointer from scalar",
732 "map access: value_ptr -= known scalar",
734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
737 BPF_LD_MAP_FD(BPF_REG_1, 0),
738 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
740 BPF_MOV64_IMM(BPF_REG_1, 4),
741 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
742 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
743 BPF_MOV64_IMM(BPF_REG_0, 1),
746 .fixup_map_array_48b = { 3 },
748 .errstr = "R0 min value is outside of the allowed memory range",
751 "map access: value_ptr -= known scalar, 2",
753 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
756 BPF_LD_MAP_FD(BPF_REG_1, 0),
757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
759 BPF_MOV64_IMM(BPF_REG_1, 6),
760 BPF_MOV64_IMM(BPF_REG_2, 4),
761 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
762 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
763 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
764 BPF_MOV64_IMM(BPF_REG_0, 1),
767 .fixup_map_array_48b = { 3 },
769 .result_unpriv = REJECT,
770 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
774 "map access: unknown scalar -= value_ptr",
776 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
777 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
779 BPF_LD_MAP_FD(BPF_REG_1, 0),
780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
782 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
783 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
784 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
785 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
786 BPF_MOV64_IMM(BPF_REG_0, 1),
789 .fixup_map_array_48b = { 3 },
791 .errstr = "R1 tried to subtract pointer from scalar",
794 "map access: value_ptr -= unknown scalar",
796 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
797 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
799 BPF_LD_MAP_FD(BPF_REG_1, 0),
800 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
802 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
803 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
804 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
805 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
806 BPF_MOV64_IMM(BPF_REG_0, 1),
809 .fixup_map_array_48b = { 3 },
811 .errstr = "R0 min value is negative",
814 "map access: value_ptr -= unknown scalar, 2",
816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
819 BPF_LD_MAP_FD(BPF_REG_1, 0),
820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
822 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
823 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
824 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
826 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
827 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
828 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
829 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
830 BPF_MOV64_IMM(BPF_REG_0, 1),
833 .fixup_map_array_48b = { 3 },
835 .result_unpriv = REJECT,
836 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
840 "map access: value_ptr -= value_ptr",
842 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
845 BPF_LD_MAP_FD(BPF_REG_1, 0),
846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
847 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
848 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
849 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
850 BPF_MOV64_IMM(BPF_REG_0, 1),
853 .fixup_map_array_48b = { 3 },
855 .errstr = "R0 invalid mem access 'inv'",
856 .errstr_unpriv = "R0 pointer -= pointer prohibited",
859 "32bit pkt_ptr -= scalar",
861 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
862 offsetof(struct __sk_buff, data_end)),
863 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
864 offsetof(struct __sk_buff, data)),
865 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40),
867 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2),
868 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_7),
869 BPF_ALU32_REG(BPF_SUB, BPF_REG_6, BPF_REG_4),
870 BPF_MOV64_IMM(BPF_REG_0, 0),
873 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
875 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
878 "32bit scalar -= pkt_ptr",
880 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
881 offsetof(struct __sk_buff, data_end)),
882 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
883 offsetof(struct __sk_buff, data)),
884 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40),
886 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2),
887 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_6),
888 BPF_ALU32_REG(BPF_SUB, BPF_REG_4, BPF_REG_7),
889 BPF_MOV64_IMM(BPF_REG_0, 0),
892 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
894 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,